General
-
Target
Doc_2024.342.2420329_2.pdf.rar
-
Size
686KB
-
Sample
241018-h2163swhnm
-
MD5
6acffabf04ed64b2857c6003949c69d8
-
SHA1
e47cdf54d7b4a097ff8d7e2b6beeff19997b4051
-
SHA256
5fa3a2796eaf9563333a8da8feae53d42fc90d4ab3de1dbb1bb38d4c3923945c
-
SHA512
8f7d2a46fbc95fdc71378259caaf253602df422086f4a7131639ea7c4ee21c7b15e781e9322c03a8df8c54857fabfd269951223a332557228ef085c6f09fc856
-
SSDEEP
12288:ifI9udgJkGb9kBswqAcGhk/0w7onhoUrrLNH4duopa+isbTk7lRn4aQbjt45Hw9M:ifGPUBhqzz0BRBH+ISbulubj65DsZNa
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.securemail.pro - Port:
587 - Username:
[email protected] - Password:
jrpM0Y5k - Email To:
[email protected]
Targets
-
-
Target
Materien.exe
-
Size
752KB
-
MD5
da48313586a7ed35308c3d7b730be3a8
-
SHA1
3ccfbbce591a3f16cc620984d2be7929fd7c69a5
-
SHA256
802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4
-
SHA512
5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186
-
SSDEEP
12288:jGHXvdN4G9MMe/OdNDqJ83eCOyGOs61IYZVAecgs9FMa1Mdq8jJa:juNNesNlLDGMIYO7MoOa
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-